Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.
If you’ve been following my blog, you've probably noticed I preach a lot about the feedback loop. I wanted to do a deep dive on why it's actually important, what we get out of it, and whether it's one of those things everyone talks about but nobody implements right.
My first real go at a feedback loop in cybersecurity was back when I was building the LEAD framework for Threat Intelligence at Adobe. I started because most threat intel programs I saw had no feedback mechanism. The idea was simple: get some Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), and throw them over the wall to the SecOps team for detection and investigation. End of story. The problem was, I needed metrics to prove the program was working. "No hits based on IOCs" is a terrible metric; I wanted more. I needed to understand if the intel was actually useful or just noise. And yeah, it took a year of hard work, but we got it implemented, and the results were awesome.
Later, when I was running a SecOps engineering team, I figured, why not use the same logic for Detection Engineering and Automation? That’s how I came up with the framework mapping SANS IR stages to Detection Engineering, Standard Operating Procedures (SOPs), and Automation. After that, I created the DSAEM Loop, which breaks it down even further: Detection Engineering > Standard Operating Procedures > Automation & AI Agents > Threat Emulation > Metrics. It makes the whole thing even easier to grasp.
This edition is sponsored by Conifers AI

Achieve SOC excellence with the smart use of AI
Conifers is the AI SOC platform that delivers deep, contextual investigations, adapted to your own data, decisions, and risk tolerance. Continuously learning and adapting to scale your SOC effectiveness and efficiency, Conifers becomes a force multiplier for your team.
Going to Black Hat? Want to learn more? Let’s meet!
Why Bother With a SecOps Feedback Loop?
Okay, enough storytelling. Why is a well-implemented SecOps feedback loop so critical?
📊 You can actually measure improvement
Instead of just fighting fires and being stuck in an endless loop of alert triage, you can see if you're getting better.
🕵️ For detection engineering
You can see how your detections are performing. You know what needs to be improved, fine-tuned, or maybe just thrown in the bin.
📑 For SOPs
You can measure how effective your processes are. Are people actually following them, or do they need an update because they’re completely out of touch with reality?
⛮ And for automation
You can see which playbooks are actually being used. How much are they contributing? Are they adding real Full-Time Equivalent (FTE) value, or are they just sitting there, triggering once a month to save an analyst 10 minutes?
Breaking Down the Process
So, let’s break it down. What SecOps elements do we need to create this loop?
It all starts with the Preparation phase. We build guardrails, put security controls in place, and monitor for threats to keep the bad guys out. First, we build a Threat Profile for our organization, understanding who might target us and what our "crown jewels" are. Once that's sorted, we start collecting logs, starting with our most critical assets and working our way down.
Now for the interesting part: Detection Engineering. This is where we deploy all the detections we need. After that, the alerts go to the SOC team to build runbooks. Then it's back to the automation folks to see what steps can be automated.
Everything is running, alerts are firing, and investigations are kicking off. False positives are going through the roof. Maybe you catch some ransomware before it does real damage, or you get spooked by a false positive IOC related to APT BearPanda12347. You might think everything is working fine. The problem is, if you don't have a good way of feeding this information back into a Lessons Learned process, it's all for nothing. It'll work until it doesn't. And then you're left with broken processes, detections that suck, SOPs no one follows, and automations that never run.
The DSAEM Loop describes this entire lifecycle. It starts with your Detection Engineering, which defines what you're looking for. This feeds into the Standard Operating Procedures that tell your team how to react. Those SOPs are then supercharged by Automation & AI Agents. You validate everything with Threat Emulation, and finally, you wrap it all up with Metrics, which feeds right back into improving your detections. It connects all the dots.
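One way to make the Metrics stage concrete, as an added example that is not code from the post or from any vendor: each detection is registered with the SOP attached to it, the manual effort that SOP costs and whether a playbook automates it, and a month of constructed analyst verdicts is folded back into precision, FTE saved by automation and a tuning verdict per rule. The thresholds, the 160-hour analyst month and all rule and SOP names are assumptions.

```python
# Added example (not from the post): a Metrics pass for the DSAEM loop.
# Detections carry their SOP, manual effort and automation flag; analyst
# verdicts are folded back into precision, FTE saved and a tuning verdict.
from collections import defaultdict
from dataclasses import dataclass

HOURS_PER_FTE_MONTH = 160  # assumption: one analyst-month of effort

@dataclass(frozen=True)
class Detection:
    rule_id: str
    sop: str             # SOP attached to the detection definition
    manual_minutes: int  # analyst effort per alert when handled by hand
    automated: bool      # a playbook handles the alert end to end

# Constructed detection registry and one month of analyst verdicts.
DETECTIONS = [
    Detection("DET-001", "SOP-phishing-triage", 20, True),
    Detection("DET-002", "SOP-ioc-match", 10, False),
    Detection("DET-003", "SOP-ransomware-response", 90, False),
    Detection("DET-004", "SOP-new-admin-account", 10, True),
]
ALERTS = ([("DET-001", "tp")] * 30 + [("DET-001", "fp")] * 10
          + [("DET-002", "fp")] * 40 + [("DET-004", "tp")] * 2)

def dsaem_metrics(detections, alerts, min_precision=0.2, min_fires=5):
    """Return per-detection metrics and the feedback verdict for each rule."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rule_id, label in alerts:
        counts[rule_id][label] += 1
    report = {}
    for det in detections:
        tp, fp = counts[det.rule_id]["tp"], counts[det.rule_id]["fp"]
        fired = tp + fp
        precision = tp / fired if fired else None
        # FTE added by automation: analyst hours not spent on this alert.
        saved_hours = fired * det.manual_minutes / 60 if det.automated else 0.0
        if fired == 0:
            verdict = "never fired: verify log coverage or retire"
        elif precision < min_precision:
            verdict = "tune: precision below threshold"
        elif det.automated and fired < min_fires:
            verdict = "automation rarely used: reassess its value"
        else:
            verdict = "healthy"
        report[det.rule_id] = {"sop": det.sop, "fired": fired, "precision": precision,
                               "fte_saved": round(saved_hours / HOURS_PER_FTE_MONTH, 3),
                               "verdict": verdict}
    return report
```

Run it over a real month of verdicts and the "never fired", "tune" and "automation rarely used" rows are exactly the lessons-learned input the post asks for.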
What About the Autonomous (AI) SOC?
Now, many of you are asking how to implement this kind of feedback loop when you're going the full Autonomous SOC route. It’s a great question because throwing AI at a broken process just creates a faster broken process.
Here are the questions you need to be asking any AI SOC vendor:
Does the solution understand the detections it’s ingesting? This is key. To understand the context and what to investigate, the AI needs to grasp the detection logic. After the investigation, it needs to provide feedback and recommendations to improve the detection itself. If the AI is just a black box, you’re losing a massive opportunity to tune your defenses.
How does it handle operating procedures? A one-size-fits-all approach doesn't work. It's important that your SOPs are assigned to your detections and that the platform can access this context to guide its investigation. Some SIEMs let you embed a playbook right in the detection definition, making it easy for an AI SOC platform to use. Can the AI access it, and what will it do with that information?
What about automation and AI agents? This one is tricky. An AI SOC platform can suggest response actions or even trigger them if it's advanced enough. But this is where you need control. You’ll be the one building the automations or configuring the AI SOC solution to act. You need transparency here. An AI agent that just says "I fixed it" without explaining what it did is a nightmare waiting to happen.
Can it support threat emulation? This is another critical piece, but let's take it a step further. The real question is, can the AI SOC solution connect to dedicated threat emulation platforms, like the Breach and Attack Simulation (BAS) tools we're all starting to use? This isn't just about manually running a test and checking the logs. An integration allows you to create a powerful, automated validation loop. Your BAS platform executes an attack scenario, and you can measure exactly how your detections, SOPs, and the AI SOC itself performed. Did it catch the multi-stage attack, or did it only see isolated events? Did it correctly correlate the data to identify the threat? This closes the loop between the 'Emulation' and 'Metrics' parts of your DSAEM framework automatically, providing continuous validation of your security posture.
How does it handle metrics and the feedback loop? You need a good idea of what you want to measure from the start. Build context into your detections so you can get metrics out. I like to measure the manual effort required for a specific SOP; this helps calculate the added FTE from automation. A good AI SOC should not only provide metrics on its own performance (accuracy, speed, false-positive reduction) but also give you the data to improve your entire security program.
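The validation check a BAS integration would run after one scenario, as an added example that is not code from the post or from any vendor or product: a scenario maps each attack stage to the detection expected to fire, observed alerts carry the case they were grouped into, and the result reports stage coverage and whether the detected stages were correlated into a single case or left as isolated events. The scenario, rule names and case identifiers are constructed.

```python
# Added example (not from the post): closing the Emulation -> Metrics part of
# the DSAEM loop. A constructed BAS scenario lists, per attack stage, the
# detection expected to fire; observed alerts are checked for stage coverage
# and for whether the platform correlated them into one case.
from dataclasses import dataclass

@dataclass(frozen=True)
class Stage:
    name: str
    expected_rule: str  # detection that should fire for this stage

# Constructed multi-stage scenario and the alerts observed after running it.
SCENARIO = [
    Stage("initial_access", "DET-001"),
    Stage("execution", "DET-205"),
    Stage("persistence", "DET-004"),
    Stage("exfiltration", "DET-330"),
]
OBSERVED_ALERTS = [
    {"rule_id": "DET-001", "case_id": "CASE-7"},
    {"rule_id": "DET-004", "case_id": "CASE-7"},
    {"rule_id": "DET-330", "case_id": "CASE-9"},  # seen, but not linked
]

def validate_emulation(scenario, alerts):
    """Score one emulation run: per-stage coverage and case correlation."""
    fired = {a["rule_id"]: a["case_id"] for a in alerts}
    detected = [s for s in scenario if s.expected_rule in fired]
    missed = [s.name for s in scenario if s.expected_rule not in fired]
    cases = {fired[s.expected_rule] for s in detected}
    # Correlation succeeded only if every detected stage landed in one case.
    correlated = len(detected) > 1 and len(cases) == 1
    return {
        "coverage": round(len(detected) / len(scenario), 2),
        "missed_stages": missed,
        "correlated": correlated,
        "cases": sorted(cases),
    }
```

Here three of four stages were caught but split across two cases, which is the "saw isolated events, not the multi-stage attack" outcome the question above warns about.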
Closing Thoughts
The move to Autonomous SOCs is already happening. But this isn’t about replacing people. It’s about stopping the waste. That Tier 1 role where you just chase alerts all day? That’s going away, and it should. It’s not security work, it’s clicking.
We’re finally moving toward real engineering work, building detections, tuning signals, and using automation that actually helps. AI can speed things up, but without feedback and tuning, it just makes the mess faster.
The goal isn’t to replace analysts. It’s to give them space to focus on what matters. Building things. Fixing things. Learning stuff. That’s the SOC we should be aiming for. Not perfect but actually worth showing up for.
Vendor Spotlight: Conifers AI
About Conifers.ai
Conifers CognitiveSOC™ is an AI SOC platform that transforms SecOps by adaptively scaling complex incident investigations effectively and efficiently. It continuously ingests incidents and an organization’s business context, adaptively learning and applying that knowledge to deliver more accurate investigations across Tier 1–3 incidents. In addition to enterprise SOCs, CognitiveSOC is also designed for the unique needs of MSSPs, from the operational model to the pricing and technology.
CognitiveSOC uses adaptive learning, deep understanding of business context (data, decisions, risk tolerance), and a feedback loop to help SOC teams solve the hard problems at scale. And we do this with maximum accuracy, environmental awareness, and cost-effectiveness in an easy-to-deploy, non-disruptive solution.
Solving Enterprise and MSSP SOC Challenges
Conifers is purpose-built to solve the challenges and address the pains of enterprise SOCs and MSSPs:
No visibility into SOC impact on the business
The platform’s strategic dashboard helps organizations understand and prove proactive risk reduction, and team efficiency and effectiveness, not just standard MTT(x).
One-size-fits-all tool approach doesn’t fit us
Conifers continuously ingests and adapts investigations based on an organization’s own data, historical behavior and risk tolerances (or that of their tenants’)
Repetitive tasks = inconsistent results and analyst burnout
Conifers’ robust feedback loop refines detections for higher accuracy and reduced noise.
Another new tool, another new distraction
The CognitiveSOC works within your existing incident management system, so there is no need for “context switching”.
If you would like to learn more about Conifers you can schedule a live demo here.
🏷️ Blog Sponsorship
Want to sponsor a future edition of the Cybersecurity Automation Blog? Reach out to start the conversation. 🤝
🗓️ Request a Services Call
If you want to get on a call and have a discussion about security automation, you can book some time here.